🔐 CVE Alert

CVE-2026-50135

UNKNOWN 0.0

Hugo: Symlink confinement bypass in resources.Get

CVSS Score
0.0
EPSS Score
0.4%
EPSS Percentile
28th

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.

CWE CWE-59
Vendor gohugoio
Product hugo
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for gohugoio hugo

Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

gohugoio / hugo
>= 0.123.0, < 0.162.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw github.com: https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a github.com: https://github.com/gohugoio/hugo/releases/tag/v0.162.0